
Over the last year, our SOC at AXS Guard encountered many magecart cases for online e-commerce stores in the Benelux.
Notes from several earlier reverse engineering sessions had been lying around for a while. This article goes over two of these cases, which highlight the differences in attacker capabilities when the same code is executed, only wrapped in different layers of obfuscation.
What is Magecarting?
Magecart is a popular attack that targets e-commerce stores with the goal of exfiltrating sensitive data. This usually means stealing information that users type into forms, credit card details being the primary example. Magecart attacks are therefore also known as formjacking or web skimming; the name itself comes from the well-known Magecart hacker group, which started targeting major brands around 2015 [1].
The attack typically unfolds in two phases:
- First, the attacker exploits a vulnerable website, often an e-commerce platform, to inject malicious JavaScript into the page.
- In the second phase, this code skims the page’s content for sensitive data, such as credit card information. The stolen data is then exfiltrated to an attacker-controlled server, where it may eventually be sold on the dark web [3].
Detecting Magecart infections is particularly challenging because they are client-side attacks. The malicious (often obfuscated) code is typically embedded within legitimate code, making it hard to distinguish. In some cases the attacker's script is not even present during the initial page load; it is loaded dynamically from an external domain. As a result, these attacks can go undetected for long periods, causing significant damage in the meantime.
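The two signals described above (scripts pulled from a domain that does not belong to the shop, and inline code hidden behind escape-sequence obfuscation) can be checked offline against a saved copy of a checkout page. The following triage helper is an added example and not code from the article or from AXS Guard; the allowlisted hosts, the thresholds and the sample HTML are constructed assumptions, and the regex-based script extraction is a deliberate simplification rather than a full HTML parser.

```javascript
// Assumed first-party hosts for the shop under review (constructed).
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// Pull every <script> element out of raw HTML. Simplified regex parser:
// good enough to triage a saved page, not a substitute for a real DOM.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    out.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return out;
}

// Crude obfuscation score: share of the text spent on \xNN / \uNNNN escapes,
// plus a penalty when the whole script is packed onto one very long line.
function obfuscationScore(code) {
  if (!code.trim()) return 0;
  const escapes = (code.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  const escapeRatio = (escapes * 4) / code.length;
  const longestLine = Math.max(...code.split("\n").map((l) => l.length));
  return escapeRatio + (longestLine > 500 ? 0.5 : 0);
}

// Returns findings for scripts loaded from non-allowlisted hosts and for
// inline scripts whose obfuscation score exceeds the (assumed) threshold.
function triage(html, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      let host = null;
      try { host = new URL(s.src, "https://shop.example/").hostname; } catch { /* unparsable src stays flagged */ }
      if (!host || !allowedHosts.has(host)) findings.push({ kind: "external-script", src: s.src, host });
    } else {
      const score = obfuscationScore(s.body);
      if (score > 0.2) findings.push({ kind: "obfuscated-inline", score: Number(score.toFixed(2)) });
    }
  }
  return findings;
}

// Constructed sample page: two first-party scripts, one third-party script,
// one plain inline handler and one inline script built from hex escapes
// (the escapes decode to the harmless words "value" and "submit").
const SAMPLE_HTML = String.raw`<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://stats-collector.invalid/t.js"></script>
<script>document.querySelector('#pay').addEventListener('submit', validate);</script>
<script>var _0xab=["\x76\x61\x6c\x75\x65","\x73\x75\x62\x6d\x69\x74"];</script>
</body></html>`;

console.log(JSON.stringify(triage(SAMPLE_HTML), null, 2));
```

Running it on the sample reports the third-party script host and the escape-heavy inline block while leaving the first-party and plain inline scripts alone.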
Infection vectors
For a site to become infected, the attacker first needs an initial foothold in the online shop.
This section concisely lists some of the most common initial infection vectors.

Field notes from the SOC - 2- Magecarting still haunts online stores to this day